How Poor Medical Device Security Threatens Us, and What We Need to Do to Fix It

Healthcare

Technician giving patient MRI examination

When you enter a hospital, your eyes and ears fill with the flashing lights and beeps of the medical devices helping deliver state-of-the-art medical care to sick patients. There are heart-rate monitors, infusion pumps, radiology machines, ventilators, and so on, all hooked up to the hospital’s computer network and enabling nurses and doctors to monitor their patients’ status from a station down the hall.

All of this technology allows the medical system to deliver better care to more patients, alerting nurses when something is about to go wrong, saving patients’ lives and allowing hospitals to serve more patients with fewer staff resources. Technology has given us many of the most important advances in modern medical care. But, as Bloomberg Businessweek recently reported, many of these critical Internet of Things (IoT) enabled medical devices have significant security gaps that put patients, hospitals and device makers at serious risk.

Bloomberg authors Monte Reel and Jordan Robertson profiled Billy Rios, a white-hat hacker who is hired by the likes of Google, Microsoft, defense contractors, utilities and government security agencies to uncover security flaws in their systems before the bad guys find and exploit them. Rios was part of a team hired by Mayo Clinic to unearth vulnerabilities in their medical system. Rios was shocked by what they found.

“Every day, it was like every device on the menu got crushed,” Rios told Bloomberg Businessweek. “It was all bad. Really, really bad.” Authors Reel and Robertson wrote, “The teams didn’t have time to dive deeply into the vulnerabilities they found, partly because they found so many – defenseless operating systems, generic passwords that couldn’t be changed, and so on.”

iStock_000054598008_MediumBad-actor hackers could have used the security gaps to change the devices’ operations – for example, dumping an entire vial of insulin into a patient’s bloodstream at once, which would probably kill the person. Somewhat fortunately, medical device hackers appear to be interested in the same thing most hackers want – your personal data to exploit and make money off of. (That’s not to say they’ll never try to exploit their ability to take our health and our lives.)

Last year, TrapX Security found that every one of more than 60 hospitals it studied had malware-infected medical devices. Hackers could inject malware throughout a hospital’s network and into medical devices which, unlike regular computers on the network, aren’t protected with antivirus software. From there, the hackers could scrape the devices to steal patients’ personal medical data which can used “to establish false identities and lines of credit, to conduct insurance fraud or even for blackmail,” said Bloomberg Businessweek.

Fortunately, thanks to people like Billy Rios, device makers, federal regulators and the health care industry are tuning into the problem and working with technology companies to strengthen device security. And I’m proud that BlackBerry is taking a leadership role on the issue, helping to protect us and our data.

David Kleidermacher, BlackBerry’s Chief Security Officer, has been working with experts from the U.S. Food and Drug Administration, Department of Health and Human Services, National Institutes of Health, Health Canada, academic researchers, physicians, device manufacturers and others. They’ve co-authored a draft cybersecurity standard aimed at shoring up medical device security across all platforms. As David recently told CNN, “you can’t raise the cybersecurity bar if you don’t know how to measure its height.” One aim of the medical device standard is to set that bar and work with device manufacturers and users to consistently achieve it.

BlackBerry has long set the standard for security, in mobile devices and enterprise mobility management, connected vehicles and now in health care. Our friends at Good Technology, now part of the BlackBerry family, are also bringing their strengths in user authentication into the fold.

I think we’re on the cusp of great things for medical device security, for protecting ourselves and for re-establishing trust with device makers and the hospitals that use them.

Have you read the Bloomberg Businessweek article? What do you think should be the priorities for medical device security? And what where would you like BlackBerry to focus its efforts? Please share your thoughts in the comments below.

Security standards around connected medical devices are woefully lacking, but that’s about to change. Don’t miss the unveiling of DTSec, the first consensus cybersecurity standard for medical devices with security and assurance requirements, by BlackBerry Chief Security Officer David Kleidermacher. It’ll happen May 23-24 at MEDSec 2016, the first international conference covering security and privacy for the Internet of Medical Things. Learn more and register today at MEDSecMeeting.org.

Mobility offers enormous potential for delivering the best quality patient care, but there are a lot of issues to consider in creating a secure mobile healthcare strategy. Our new book, The BlackBerry Guide to Mobile Healthcare, and webinar series help decision makers address some of the key challenges. Click here to get your free copy of The BlackBerry Guide to Mobile Healthcare and visit BlackBerry Enterprise Webcast Central for archived webcasts on Why Home Healthcare Should Go MobileClinical Collaboration and Hospital Staff Coordination and other enterprise topics.

Join the conversation

Show comments Hide comments
+ -
blog comments powered by Disqus